在前面的FPS游戏实现GDI透视中,我们通过三角函数,并配合坐标计算出了敌人的位置,该方法时比较笨的一种方式,但却很通用,基本上,只要是FPS类游戏,稍微修改一下代码中的基地址,就可以通用,本次我们将研究通过查找相机矩阵获得自身位置,上一篇文章中我已经讲解了关于各种坐标的找法。
上篇文章(找基址):https://www.cnblogs.com/LyShark/p/11620244.html
快速找基地址:https://www.cnblogs.com/LyShark/p/13519135.html
> 本人坐标x = server.dll+4F2FEC + 288 - 8
> 本人坐标y = server.dll+4F2FEC + 288 - 4
> 本人坐标z = server.dll+4F2FEC + 288
> 敌人x = server.dll+4F2FFC + 288 - 8
> 敌人y = server.dll+4F2FFC + 288 - 4
> 敌人z = server.dll+4F2FFC + 288
> 鼠标 x = engine.dll+61D254 + 4
> 鼠标 y = engine.dll+61D254
> 鼠标 x = client.dll+4C0300 + 4
> 鼠标 y = client.dll+4C0300
> FOV = client.dll+5046F0
> FOV = client.dll+504628
> FOV = client.dll+5047B8
> FOV = client.dll+50489C
> FOV = engine.dll+3C1720
> 算上我自己的人机数量: server.dll+4EEFE8
> 算上我自己的人机数量: engine.dll+5D29BC
> 不算我自己的人机数量: server.dll+4EEFE0
> 不算我自己的人机数量: server.dll+588878
自己血量偏移 = e4
> 自己血量: server.dll+54B6C8
> 自己血量: server.dll+54A82C
> 自己血量: server.dll+4F2FEC
> 敌人血量: server.dll + 4F2FFC + e4
> 本人阵营: server.dll+4F2FEC + 1F4
> 敌人阵营: server.dll+4F2FFC + 1F4
> 本人阵营: server.dll+54A82C + 1F4
> 本人阵营: server.dll+54B6C8 + 1F4
熟悉矩阵特点
通常情况下Dx9中会采用4*4的矩阵,这里我分别找了三款CS系列游戏的矩阵,并来分析一下他们的异同点。
1.找矩阵的方法就是不断移动自己相机位置,最好拿把狙击枪,然后开镜搜索变动的数值,移动身体搜索变动数值,或者是开镜移动身体搜索变动的数值,
这样配合来找,最终可以锁定在2000个数值左右,然后就可以开找,通常矩阵头晃动鼠标不会出现大于3的值,一般会在-0.x - 1.x 之间徘徊。
竖矩阵的第三个值,通常为0,就算乱晃,也会保持0的位置。
找到矩阵地址,当我们让人物只跳动时,矩阵呈现出来的效果如下。
上下晃动鼠标,矩阵呈现出来的效果如下。
左右晃动鼠标,矩阵呈现出来的效果如下。
开启关闭狙击镜,矩阵变化。
完全乱晃状态如下,4*4
矩阵,不只一个,如下是另一处,矩阵的数据。
另一处矩阵位置。
人物死后,矩阵被初始化。
不是矩阵的矩阵
第一种不是矩阵的情况,数据跳动幅度较乱,并且不是4*4在跳动,而是很多行。
第二种,混乱无序,不连贯,不是一个结构体,不是矩阵。
第三种,最常见的乱序,不是矩阵。
第四种,加密后的地址,晃动鼠标,不会发生任何变化。
代码中相机对应关系
相机X对应关系
相机Y对应关系
相机Z对应关系,我们只用到了前三行,后面的不用了。
4x4竖矩阵,是这样,只是前三行,最后跑到了下面。
如果是横矩阵会发生变化,如下。
所以上面的算法部分,需要稍微小改一下,即可完成横矩阵的透视效果。
番外篇(转载一段代码)
在前面的GID透视教程中我使用的是易语言封装的DC函数实现的外部透视,今天在网上找到一个别人用C#实现的透视代码,我把它转过来备份一下哈,其实原理是差不多的,基本上就是写法会有些变化汉语变英文。
转载了别人的东西,多少还是要留下来源,以表示对作者成果的尊重:https://www.cnblogs.com/xuexidememeda/
c# 调用dll封装类
class DllHelper
{
public const int COLORBLACK = 0;//黑色
public const int COLORWHITE = 16777215;//#白色
public const int COLORPINKISHRED = 16711935;//#品红
public const int COLORCYAN = 8388608;//#藏青
public const int COLORGREEN = 32768;//#墨绿
public const int COLORDEEPCYAN = 8421376;//#深青
public const int COLORYELLOW = 65535;//#黄色
public const int COLORBLUE = 16711680;//#蓝色
public const int COLORRED = 255;//#红色
public const int COLOGRAY = 8421504;//#灰色
public const int COLOORANGE = 33023;//#橙黄
[DllImport("SoftwareHelper.dll", EntryPoint = "InitDX11")]
public static extern void InitDX11(int wordsize);//初始化一个dx11透明窗口参数为字体大小建议15
[DllImport("SoftwareHelper.dll", EntryPoint = "SafetyQuit")]
public static extern void SafetyQuit();//安全退出放在窗口是否可以被关闭事件卸载绘图
[DllImport("SoftwareHelper.dll", EntryPoint = "SetWindowPos_Top")]
public static extern bool SetWindowPos_Top(int handle);//设置窗口置顶参数为窗口句柄
[DllImport("SoftwareHelper.dll", EntryPoint = "MoveWindows")]
public static extern void MoveWindows(int handle,int newleft,int newtop,int newwidth,int newheight);//移动窗口 窗口句柄 窗口左边 窗口顶部 窗口高度宽度
[DllImport("SoftwareHelper.dll", EntryPoint = "DrawText")]//写字
public static extern void DrawText(int X, int Y, string text, int color); //屏幕xy 和文本 颜色用上面定义的常量
[DllImport("SoftwareHelper.dll", EntryPoint = "DrawLine")]//画线
public static extern void DrawLine(int X, int Y, int Xend, int Yend, int linePx, int color);//x为开始x坐标 x1为结束x坐标 linepx为线宽度 颜色用上面定义的常量
[DllImport("SoftwareHelper.dll", EntryPoint = "ProcessIsExist")]//判断指定进程是否存在(此判断与进程其它信息无关联)(存在返回真,不存在或失败返回假)
public static extern bool ProcessIsExist(string processname);//进程名称带后zhui
[DllImport("SoftwareHelper.dll", EntryPoint = "DrawSquare")]//画出描边方框
public static extern void DrawSquare(int X, int Y, int W, int H ,int colorout, int colorin,int linepx);//colorout外部方框颜色 in为内部 linepx线宽
[DllImport("SoftwareHelper.dll", EntryPoint = "GetDX11CreateWindowHandle")]//得到对象dx11创建的透明窗口句柄 为了防止重复和游戏 枚举窗口名称为 DX11t?h?i?s? ?i?s? ?y?o?u? ?w?i?n?d?o?w?
public static extern int GetDX11CreateWindowHandle();
[DllImport("SoftwareHelper.dll", EntryPoint = "OptimizeCUP")]//优化cup防止绘制卡
public static extern void OptimizeCUP(int time);//毫秒
[DllImport("SoftwareHelper.dll", EntryPoint = "OptimizeDelayed")]//优化延时
public static extern void OptimizeDelayed(int time);//毫秒
[DllImport("SoftwareHelper.dll", EntryPoint = "OptimizeSystem")]//系统处理事件同样是为了优化cup防止卡
public static extern void OptimizeSystem();
[DllImport("SoftwareHelper.dll", EntryPoint = "StartDrawing")]//开始绘图 绘图前调用
public static extern void StartDrawing();
[DllImport("SoftwareHelper.dll", EntryPoint = "EndDrawing")]//结束绘图 绘图结束调用
public static extern void EndDrawing();
[DllImport("SoftwareHelper.dll", EntryPoint = "MouseMoveInGame")]//鼠标可以在游戏内移动游戏外部自瞄调用
public static extern void MouseMoveInGame(int handle,int x,int y);//游戏窗口句柄 xy坐标
}
c#内存辅助类
class GameUtil
{
public struct RECT
{
public int Left; //最左坐标
public int Top; //最上坐标
public int Right; //最右坐标
public int Bottom; //最下坐标
}
public struct RECTClient
{
public uint Left;
public uint Top;
public uint Right;
public uint Bottom;
}
public struct LPPOINT
{
public int x;
public int y;
}
[DllImport("kernel32.dll", EntryPoint = "ReadProcessMemory")]
public static extern int _MemoryReadByteSet(int hProcess, int lpBaseAddress, byte[] lpBuffer, int nSize, int lpNumberOfBytesRead);
[DllImport("kernel32.dll", EntryPoint = "ReadProcessMemory")]
public static extern int _MemoryReadInt32(int hProcess, int lpBaseAddress, ref int lpBuffer, int nSize, int lpNumberOfBytesRead);
[DllImport("kernel32.dll", EntryPoint = "WriteProcessMemory")]
public static extern int _MemoryWriteByteSet(int hProcess, int lpBaseAddress, byte[] lpBuffer, int nSize, int lpNumberOfBytesWritten);
[DllImport("kernel32.dll", EntryPoint = "WriteProcessMemory")]
public static extern int _MemoryWriteInt32(int hProcess, int lpBaseAddress, ref int lpBuffer, int nSize, int lpNumberOfBytesWritten);
[DllImport("kernel32.dll", EntryPoint = "GetCurrentProcess")]
public static extern int GetCurrentProcess();
[DllImport("kernel32.dll", EntryPoint = "OpenProcess")]
public static extern int OpenProcess(int dwDesiredAccess, int bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", EntryPoint = "CloseHandle")]
public static extern int CloseHandle(int hObject);
[DllImport("kernel32.dll", EntryPoint = "RtlMoveMemory")]
public static extern int _CopyMemory_ByteSet_Float(ref float item, ref byte source, int length);
const int PROCESS_POWER_MAX = 2035711;
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(IntPtr hProcess, int lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesRead);
[DllImport("user32.dll")]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool GetWindowRect(IntPtr hWnd, ref RECT lpRect);
[DllImport("user32")]
public static extern bool GetClientRect(IntPtr hwnd,out RECTClient lpRect );
[DllImport("user32")]
public static extern bool ClientToScreen(IntPtr hwnd, out LPPOINT point);
//打开进程
//kernel32.dll系统动态链接库
[DllImportAttribute("kernel32.dll", EntryPoint = "OpenProcess")]
public static extern IntPtr OpenProcess
(
int iAccess,
bool Handle,
int ProcessID
);
//关闭句柄
[DllImport("kernel32.dll", EntryPoint = "CloseHandle")]
private static extern void CloseHandle
(
IntPtr hObject
);
//取窗口句柄 FindWindow
[DllImport("User32.dll", EntryPoint = "FindWindow")]
public extern static IntPtr FindWindow(string lpClassName, string lpWindowName);
[DllImport("User32.dll", EntryPoint = "FindWindowEx")]
public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpClassName, string lpWindowName);
//移动窗口
/// <summary>
/// 设置目标窗体大小,位置
/// </summary>
/// <param name="hWnd">目标句柄</param>
/// <param name="x">目标窗体新位置X轴坐标</param>
/// <param name="y">目标窗体新位置Y轴坐标</param>
/// <param name="nWidth">目标窗体新宽度</param>
/// <param name="nHeight">目标窗体新高度</param>
/// <param name="BRePaint">是否刷新窗体</param>
/// <returns></returns>
[DllImport("user32.dll", CharSet = CharSet.Auto)]
public static extern int MoveWindow(IntPtr hWnd, int x, int y, int nWidth, int nHeight, bool BRePaint);
//---------------------------------------------------------------------------------------------------------------
/// <summary>
/// 读内存整数型
/// </summary>
/// <param name="pID">进程ID</param>
/// <param name="bAddress">0x地址</param>
/// <returns>0失败</returns>
public static int ReadMemoryInt32(int pID, int bAddress)
{
int num = 0;
int handle = getProcessHandle(pID);
int num3 = GameUtil._MemoryReadInt32(handle, bAddress, ref num, 4, 0);
GameUtil.CloseHandle(handle);
if (num3 == 0)
{
return 0;
}
else
{
return num;
}
}
/// <summary>
/// 写内存整数型
/// </summary>
/// <param name="pID">进程ID</param>
/// <param name="bAddress">0x地址</param>
/// <param name="value">写入值</param>
/// <returns>false失败 true成功</returns>
public static bool WriteMemoryInt32(int pID, int bAddress, int value)
{
int handle = getProcessHandle(pID);
int num2 = GameUtil._MemoryWriteInt32(handle, bAddress, ref value, 4, 0);
GameUtil.CloseHandle(handle);
return num2 != 0;
}
/// <summary>
/// 读内存小数型
/// </summary>
/// <param name="pID">进程ID</param>
/// <param name="bAddress">0x地址</param>
/// <returns>0失败</returns>
public static float ReadMemoryFloat(int pID, int bAddress)
{
//byte[] array = test.GetVoidByteSet(4);
byte[] array = new byte[4];//不取空字节集也可以正确转换成单精度小数型
int handle = getProcessHandle(pID);
int temp = GameUtil._MemoryReadByteSet(handle, bAddress, array, 4, 0);
if (temp == 0)
{
return 0f;
}
else
{
return GameUtil.getFloatFromByteSet(array, 0);
}
}
/// <summary>
/// 写内存小数型
/// </summary>
/// <param name="pID">进程ID</param>
/// <param name="bAddress">0x地址</param>
/// <param name="value">写入数据</param>
/// <returns>false失败</returns>
public static bool WriteMemoryFloat(int pID, int bAddress, float value)
{
//byte[] byteSet = test.GetByteSet(value);
byte[] byteSet = BitConverter.GetBytes(value);//https://msdn.microsoft.com/en-us/library/yhwsaf3w
//byte[] byteSet = Encoding.GetEncoding("gb2312").GetBytes(value.ToString());
return GameUtil.WriteMemoryByteSet(pID, bAddress, byteSet, 0);
}
/// <summary>
/// 写内存字节集
/// </summary>
/// <param name="pID">进程ID</param>
/// <param name="bAddress">0x地址</param>
/// <param name="value">字节数据</param>
/// <param name="length">写入长度 0代表字节数据的长度</param>
/// <returns>false失败</returns>
private static bool WriteMemoryByteSet(int pID, int bAddress, byte[] value, int length = 0)
{
int handle = GameUtil.getProcessHandle(pID);
int nSize = (length == 0) ? value.Length : length;
int tmp = GameUtil._MemoryWriteByteSet(handle, bAddress, value, nSize, 0);//byte[]属于引用类型 引用类型不用ref也是以传址方式进行运算
//test.CloseHandle(pID);
return tmp != 0;
}
/// <summary>
/// 取空白字节集
/// </summary>
/// <param name="num"></param>
/// <returns></returns>
public static byte[] getVoidByteSet(int num)
{
if (num <= 0)
{
num = 1;
}
string text = "";
for (int i = 0; i < num; i++)
{
text += "0";
}
return Encoding.UTF8.GetBytes(text);
}
/// <summary>
/// 取进程句柄
/// </summary>
/// <param name="pID">进程ID</param>
/// <returns>进程句柄</returns>
public static int getProcessHandle(int pID)
{
if (pID == -1)
{
return GameUtil.GetCurrentProcess();
}
else
{
return GameUtil.OpenProcess(PROCESS_POWER_MAX, 0, pID);
}
}
/// <summary>
/// 字节集转小数型
/// </summary>
/// <param name="sourceValue">字节集</param>
/// <param name="index">索引</param>
/// <returns></returns>
public static float getFloatFromByteSet(byte[] sourceValue, int index)
{
float result = 0f;
GameUtil._CopyMemory_ByteSet_Float(ref result, ref sourceValue[index], 4);
return result;
}
/// <summary>
/// 获取字节集
/// </summary>
/// <param name="data">需要转换到字节集的数据</param>
/// <returns></returns>
public static byte[] getByteSet(float data)
{
return Encoding.UTF8.GetBytes(data.ToString());
}
//根据名称取进程PID 不得有后缀.exe
//根据进程名获取PID 不得有后缀.exe
public static int getPidByProcessName(string processName)
{
Process[] ArrayProcess = Process.GetProcessesByName(processName);
foreach (Process pro in ArrayProcess)
{
return pro.Id;
}
return 0;
}
//获取模块地址
public static int getMoudleAddress(string processName ,string dllname )
{
foreach (Process p in Process.GetProcessesByName(processName))
{
foreach (ProcessModule m in p.Modules)
{
if (m.ModuleName.Equals(dllname))
return (int)m.BaseAddress;
}
}
return 0;
}
//取窗口句柄 这里传入的值是窗口标题
public static IntPtr getWindowsHandler_findwindow(String classname,String windowtitle)
{
IntPtr maindHwnd = FindWindow(classname, windowtitle); //获得QQ登陆框的句柄
return maindHwnd;
}
public static RECT getWindowsRect(IntPtr windowsHandler)
{
RECT rec = new RECT();
GetWindowRect(windowsHandler, ref rec);//h为窗口句柄
return rec;
}
}
窗口类c#
public partial class Form1 : Form
{
int PID;
int matrix;//矩阵基质
float formwidth;//窗口宽度
float formheight;//窗口高度
int processmoudle;//进程模块;
IntPtr windowshandle;//窗口句柄
int dx11hwnd;//dx11创建的透明窗口句柄
private void loop()//循环
{
while (true)
{
Util.DllHelper.OptimizeCUP(2);//防止占用cpu
reflushWindows();
startDrawit();
Util.DllHelper.OptimizeDelayed(1);//防止占用cpu
}
}
private void intData()
{
PID= Util.GameUtil.getPidByProcessName("cstrike");
windowshandle=Util.GameUtil.getWindowsHandler_findwindow("Valve001", "Counter-Strike");
processmoudle=Util.GameUtil.getMoudleAddress("cstrike", "cstrike.exe");
matrix = processmoudle + 25297152;
formwidth= Util.GameUtil.getWindowsRect(windowshandle).Right - Util.GameUtil.getWindowsRect(windowshandle).Left;
formheight= Util.GameUtil.getWindowsRect(windowshandle).Bottom - Util.GameUtil.getWindowsRect(windowshandle).Top;
//this.ShowInTaskbar = false;//任务栏显示为假
Debug.Print(PID + "PID" + "windowshandle" + windowshandle + "matrix" + matrix + "formwidth" + formwidth + "formheight" + formheight);
}
private void startIt()
{
Util.DllHelper.InitDX11(14);//初始化dx11
dx11hwnd = Util.DllHelper.GetDX11CreateWindowHandle();//取得dx11创建的透明窗口的句柄
if (dx11hwnd == 0) MessageBox.Show("DX11加载失败"); else MessageBox.Show("DX11加载成功");
reflushWindows();
loop();
}
private void startDrawit()
{
Util.DllHelper.StartDrawing();//开始绘图
Util.DllHelper.DrawText(0, 0, "C#dx11", Util.DllHelper.COLORYELLOW);
worldtoScreen();
Util.DllHelper.EndDrawing();//结束绘图
}
private void worldtoScreen()//游戏世界转屏幕
{
float arr00 = Util.GameUtil.ReadMemoryFloat(PID, matrix);
float arr01 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 4);
float arr02 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 8);
float arr03 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 12);
float arr10 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 16);
float arr11 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 20);
float arr12 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 24);
float arr13 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 28);
float arr20 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 32);
float arr21 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 36);
float arr22 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 40);
float arr23 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 44);
float arr30 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 48);
float arr31 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 52);
float arr32 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 56);
float arr33 = Util.GameUtil.ReadMemoryFloat(PID, matrix + 60);
//得到矩阵所有值
float sightwidth = formwidth / 2;//视角宽
float sightheight = formheight / 2;//视角高
float enemy_x = Util.GameUtil.ReadMemoryFloat(PID, processmoudle + 17369300 - 8);
float enemy_y = Util.GameUtil.ReadMemoryFloat(PID, processmoudle + 17369300 - 4);
float enemy_z = Util.GameUtil.ReadMemoryFloat(PID, processmoudle + 17369300);
float camera_Z = arr02 * enemy_x + arr12 * enemy_y + arr22 * enemy_z + arr32;
if (camera_Z <= 0.01) return;
float zoom = 1 / camera_Z;//缩放比例
float camera_x = sightwidth + (arr00 * enemy_x + arr10 * enemy_y + arr20 * enemy_z + arr30) * zoom * sightwidth;
float camera_y = sightheight - (arr01 * enemy_x + arr11 * enemy_y + arr21 * (enemy_z + 30) + arr31) * zoom * sightheight * 1;
float camera_y2 = sightheight - (arr01 * enemy_x + arr11 * enemy_y + arr21 * (enemy_z - 50) + arr31) * zoom * sightheight * 1 - 20;
float squareheight = camera_y2 - camera_y;//方框高度
Util.DllHelper.DrawSquare((int)(camera_x - squareheight / 4), (int)camera_y,(int) (squareheight / 2), (int)squareheight, Util.DllHelper.COLORYELLOW, Util.DllHelper.COLORRED,1);//绘制方框
Util.DllHelper.OptimizeSystem();//系统处理事件防止cup过多
Util.DllHelper.DrawLine((int)sightwidth,0, (int)camera_x, (int)camera_y,1,Util.DllHelper.COLORBLUE);//画直线
}
private void reflushWindows()//刷新窗口
{
Util.GameUtil.RECTClient rec = new Util.GameUtil.RECTClient() ;
Util.GameUtil.LPPOINT point = new Util.GameUtil.LPPOINT();
Util.GameUtil.GetClientRect(windowshandle,out rec);
Util.GameUtil.ClientToScreen(windowshandle, out point);
formwidth = rec.Right-rec.Left;
formheight = rec.Bottom-rec.Top ;
Util.DllHelper.MoveWindows(dx11hwnd, point.x, point.y, (int)formwidth, (int)formheight);
Util.DllHelper.SetWindowPos_Top(dx11hwnd);
}
public Form1()
{
InitializeComponent();
}
private void button1_Click(object sender, EventArgs e)
{
startIt();
}
private void Form1_Load(object sender, EventArgs e)
{
intData();
}
private void Form1_FormClosing(object sender, FormClosingEventArgs e)
{
// Util.DllHelper.SafetyQuit();
Environment.Exit(0);
}
}